EU data privacy law reform saga lurches on

The LIBE Committee of the European Parliament published on 8th January 2013 a draft 215-page report to the EU Commission suggesting no fewer than 350 amendments to the draft Data Protection Regulation, which was first published in January 2012. The report was prepared by its rapporteur, Jan-Philipp Albrecht, and makes a number of key changes which, if adopted, could have a significant impact on business. Overall it creates an even stricter regime than the January 2012 document foreshadowed.

Summary of some of the key proposed changes

Legitimate Interests – Article 6: One of the grounds which justifies the processing of data under the existing legislation is if the processing is for the “legitimate interests of the data controller”. The amendments narrow the circumstances where this will be permitted and also require the publication of the reasons for the data controller believing that its interests override those of the individual. As drafted, the new legitimate interests ground could only be used in limited circumstances and could not be used, for example, in respect of profiling or when processing sensitive data.

Data Protection Officers – Article 35: Under the previous draft a DPO only needed to be appointed where an organisation had more than 250 employees. This has now been amended to any organisation which processes data of more than 500 individuals, which is likely to impact most organisations irrespective of size. In addition, the DPO will be appointed for 4 years (previously 2 years).

Jurisdiction over non-EU controllers – Article 3: This has been expanded to catch data controllers offering goods and services “irrespective of whether payment is required.” In addition, EU law will apply where there is monitoring of data subjects, where before only monitoring of behaviour was required.

Personal data – Article 4.1: The definition has been extended to cover information relating to someone who can be singled out from others, and not just identified, and so is more likely to catch IP addresses and other data which distinguishes one user from another without necessarily being able to identify the person.

Lead Authority – Article 51: The one-stop-shop concept has been limited in scope and appears to merely appoint a lead authority as the single point of contact.

Delegated Acts – the number of delegated acts has been reduced; the matters concerned are either covered in the Regulation or can be specified by the European Data Protection Board.

International Data transfers and adequacy findings – Articles 40-45: A two-year time period has been placed on adequacy findings and specific transfers, which may have an impact on the use of Safe Harbor.

Fines – Article 79: The individual regulators will have more discretion regarding fines, and additional, more serious categories have been added, resulting in a fine of 2% of turnover.

Transparency – Article 11: Information should be provided so it is easy to understand, and organisations shall communicate privacy policies through an easily understood icon-based mode of description. Use of icons now appears to be mandatory and will result in many policies needing to be re-written.

Profiling – Articles 14, 15 and 20: There are a number of changes in this area, which include:

informing individuals about the existence of profiling and the right to object (Article 14);

in a subject access request, providing information about the consequences of profiling and measures taken (Article 15); and

prohibition on profiling of sensitive data or data relating to children, or profiling based solely on automated processing (Article 20).

Why this matters:

The potential impacts of these changes are significant and could seriously add to the cost and complexity of compliance. There will be a short period to comment on the proposed amendments by the end of February, and it is important to engage with industry groups and local regulators. The draft still needs to be agreed by the Parliament, and there will then be further discussions and negotiations with the Council and the Commission, with a final Regulation still being proposed for 2014.